S3 Interface Endpoint from On-Prem Access Denied

0

Hello,

We have an S3 endpoint (interface type) created in the eu-west-1 region.

We are trying to write to the buckets using the DNS created in eu-west-1 from our on-premises location connected via Direct Connect.

DNS: *.vpce-1234567890-abcd2zc.s3.eu-west-1.vpce.amazonaws.com

I have given the following permissions in the bucket policy to write to these buckets, but when we try to upload/write to this bucket we still get the Access Denied error below.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:PutObjectAcl",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3::<bucket-name>/*",
                "arn:aws:s3:::<bucket-name>"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:PutObjectAcl",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/*",
                "arn:aws:s3::<bucket-name>"
            ]
        }
    ]
}

OTErrWrnLn||ERROR||-1||SERVICE||GBS3||<Bucket_Name> Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 0QWNYWPJZY14EGRC; S3 Extended Request ID: sXic/CHy/OU5oakn7MBb6UESIbggdr9IxaILUiVuGMeUu7iZTUpIUpLeIUieNs82g6jXdBdQ3sU=)||-1||-1||-1|| Access Denied

I would like to know what permission is required to write to this bucket from on-premises, or any other steps or configuration I need to apply.

When I run nslookup on the S3 endpoint from the on-prem server, it resolves to a private IP.

BTW, it works when I enable Allow Public Access.

Thank you

2 Answers
0

When you say "I run nslookup on the s3 endpoint from the on-prem server, it resolves to private IP", what s3 endpoint do you mean? At some point you need to override DNS resolution of the standard s3 service name (as opposed to your vpc endpoint domain name) so that it no longer maps to a public IP. Within a VPC you can do that by directly overriding with a Private Hosted Zone, but in your hybrid situation where you need to do this on-prem, you need to delegate resolution via a Route 53 Resolver Endpoint. See for example https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html.

EXPERT
answered 2 years ago
  • The nslookup is on the S3 endpoint DNS: *.vpce-1234567890-abcd2zc.s3.eu-west-1.vpce.amazonaws.com, which we are using to connect from on-premises, and it resolves to a private IP.

0

A couple of the Resources in your policy don't look right - they are "s3::<bucket-name>" instead of "s3:::<bucket-name>". If you still have problems, what are you using to access S3 from on-prem?

EXPERT
answered 2 years ago
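To check a bucket policy for the malformed S3 ARNs the answer above points out, here is an added example that is not part of the thread. It runs over a constructed copy of the posted policy with example-bucket in place of <bucket-name>, and find_bad_resources and suggested_fix are hypothetical helper names, not AWS APIs.

```python
import json
import re

# S3 bucket ARNs carry empty region and account-id fields, so the bucket name
# must follow exactly three consecutive colons: arn:aws:s3:::bucket[/key]
S3_ARN_RE = re.compile(r"^arn:aws:s3:::(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])(?P<key>/.*)?$")


def find_bad_resources(policy):
    """Return (statement_index, resource, reason) for each malformed S3 resource ARN."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):  # a single Resource may be a bare string
            resources = [resources]
        for res in resources:
            if S3_ARN_RE.match(res):
                continue
            if res.startswith("arn:aws:s3:") and not res.startswith("arn:aws:s3:::"):
                problems.append((i, res, "wrong colon count; expected an 'arn:aws:s3:::' prefix"))
            else:
                problems.append((i, res, "not a well-formed S3 bucket or object ARN"))
    return problems


def suggested_fix(resource):
    """Rewrite an 'arn:aws:s3:' prefix with any colon count to the correct three colons."""
    return re.sub(r"^arn:aws:s3:+", "arn:aws:s3:::", resource)


# Constructed sample: the policy from the question with 'example-bucket' in
# place of <bucket-name>; the two malformed Resource ARNs are kept on purpose.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2008-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:GetObject", "s3:PutObjectAcl", "s3:ListBucket"],
     "Resource": ["arn:aws:s3::example-bucket/*", "arn:aws:s3:::example-bucket"]},
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:PutObjectAcl", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket/*", "arn:aws:s3::example-bucket"]}
  ]
}
""")

if __name__ == "__main__":
    for idx, res, reason in find_bad_resources(SAMPLE_POLICY):
        print(f"Statement[{idx}] {res}: {reason} -> {suggested_fix(res)}")
```

Run against the sample it reports the two ARNs with only two colons, one in each statement, and prints the three-colon form for each.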
